Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(24)

Unified Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Issue 2428473004: Remove the 'reflected-xss' directive from CSP. (Closed)
Patch Set: Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
index bcb25c1adc6296fbb7d605889c8c4aabe919adab..595e7b8bcf94a1b73bb4b5fbfb8f5992736a0135 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -51,7 +51,6 @@ CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy,
m_headerType(type),
m_headerSource(source),
m_hasSandboxPolicy(false),
- m_reflectedXSSDisposition(ReflectedXSSUnset),
m_didSetReferrerPolicy(false),
m_referrerPolicy(ReferrerPolicyDefault),
m_strictMixedContentCheckingEnforced(false),
@@ -1060,56 +1059,6 @@ void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name,
m_policy->reportValueForEmptyDirective(name, value);
}
-void CSPDirectiveList::parseReflectedXSS(const String& name,
- const String& value) {
- if (m_reflectedXSSDisposition != ReflectedXSSUnset) {
- m_policy->reportDuplicateDirective(name);
- m_reflectedXSSDisposition = ReflectedXSSInvalid;
- return;
- }
-
- if (value.isEmpty()) {
- m_reflectedXSSDisposition = ReflectedXSSInvalid;
- m_policy->reportInvalidReflectedXSS(value);
- return;
- }
-
- Vector<UChar> characters;
- value.appendTo(characters);
-
- const UChar* position = characters.data();
- const UChar* end = position + characters.size();
-
- skipWhile<UChar, isASCIISpace>(position, end);
- const UChar* begin = position;
- skipWhile<UChar, isNotASCIISpace>(position, end);
-
- StringView token(begin, position - begin);
-
- // value1
- // ^
- if (equalIgnoringCase("allow", token)) {
- m_reflectedXSSDisposition = AllowReflectedXSS;
- } else if (equalIgnoringCase("filter", token)) {
- m_reflectedXSSDisposition = FilterReflectedXSS;
- } else if (equalIgnoringCase("block", token)) {
- m_reflectedXSSDisposition = BlockReflectedXSS;
- } else {
- m_reflectedXSSDisposition = ReflectedXSSInvalid;
- m_policy->reportInvalidReflectedXSS(value);
- return;
- }
-
- skipWhile<UChar, isASCIISpace>(position, end);
- if (position == end && m_reflectedXSSDisposition != ReflectedXSSUnset)
- return;
-
- // value1 value2
- // ^
- m_reflectedXSSDisposition = ReflectedXSSInvalid;
- m_policy->reportInvalidReflectedXSS(value);
-}
-
void CSPDirectiveList::parseReferrer(const String& name, const String& value) {
m_didSetReferrerPolicy = true;
@@ -1200,8 +1149,6 @@ void CSPDirectiveList::addDirective(const String& name, const String& value) {
setCSPDirective<SourceListDirective>(name, value, m_formAction);
} else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) {
setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
- } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) {
- parseReflectedXSS(name, value);
} else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) {
parseReferrer(name, value);
} else if (equalIgnoringCase(

Powered by Google App Engine
This is Rietveld 408576698